Point-of-Sale: Changes in Payment Card Processing

If you use a computerized Point-of-Sale (POS) system in your business, you face big changes next year.

That’s when merchants will be required to upgrade or replace their systems and equipment so that they include the latest software, security and encryption standards.

The Payment Card Industry, or PCI, has used standard security technology for decades. Known as the Secure Sockets Layer, or SSL, it established an encrypted link between a web server and a browser. That link was meant to ensure that all data passed between the web server and browsers remained private and unaltered.

Well, that’s what will change next year. According to the PCI Security Standards Council, the currently used SSL protocol cannot be fixed. There are no known methods to remediate its vulnerabilities, so it no longer meets the security needs of entities implementing strong cryptography to protect payment data over public or untrusted communications channels.

Reducing the number of vulnerable systems reduces potential exposure to exploits. It also might help streamline risk mitigation controls, such as enhanced monitoring of suspicious traffic.

It is critical that both small merchants and e-commerce businesses take the necessary steps to upgrade their systems. It will be necessary to remove SSL from their cardholder data environment or point of sale system to ensure their customer data is secure. If your system is not upgraded, the system will simply stop accepting credit cards.

This change is not just affecting one company or type of system. It is an industry-wide requirement. And it presents a considerable change for many merchant services companies as well as for those they service. While some companies are working to upgrade existing merchants, others will capitalize on the cost to you.

Many companies like Micros, Aloha, Radiant, NCR and others will be charging significant fees for merchant upgrades. But there are other options. TDG Merchant Solutions LLC is one source where area merchants can look for answers to complex questions and cost solutions. Call 479-471-5179 for more information.

The Payment Card Industry (PCI) is facing considerable change to its requirements within the next year. These are changes meant to address a vulnerability with SSL encryption called POODLE (which stands for “Padding Oracle On Downgraded Legacy Encryption”).

What is SSL encryption?

The acronym stands for Secure Sockets Layer, and SSL is the standard security technology for establishing an encrypted link between a web server and a browser. The link ensures that all data passed between the web server and browsers remains private and unaltered.

In short, SSL encryption, which has been the standard encryption method for decades, is no longer PCI compliant due to vulnerabilities in the protocol. This is the explanation directly from the PCI Security Standards Council: “For over 20 years Secure Sockets Layer (SSL) has been in the market as one of the most widely-used encryption protocols ever released, and remains in widespread use today… SSL has been removed as an example of strong cryptography in the PCI DSS, and can no longer be used as a security control…”

The SSL protocol (all versions) cannot be fixed; there are no known methods to remediate vulnerabilities such as POODLE. SSL and early TLS (Transport Layer Security) no longer meet the security needs of entities implementing strong cryptography to protect payment data over public or untrusted communications channels. Additionally, modern web browsers will begin prohibiting SSL connections in the very near future, preventing users of these browsers from accessing web servers that have not migrated to a more modern protocol.

To meet the new requirements, merchants with POS (Point of Sale) systems will be required to upgrade or replace their systems and equipment so that they include the latest software, security and encryption standards. When the POODLE deadline hits in the next year, the credit card processing functionality on any non-compliant equipment will STOP, so there is no way to avoid this upgrade initiative and its associated costs.

What about small merchant environments?

All entity types are impacted by issues with SSL, including small merchants. It is critical that small merchants take the necessary steps to upgrade their processing equipment to remove SSL from their cardholder data environment or POS system to ensure their customer data is secure. Most small merchants will find it too costly to upgrade their current systems (the POI, or point of interaction: computer, terminal, POS, etc.) and more cost effective to look for a newer, updated system to use.

What about e-commerce environments?

Due to the nature of web-based environments, e-commerce implementations have the highest susceptibility and are therefore at immediate risk from the known vulnerabilities in SSL. Because of this, new e-commerce websites must not use or support SSL.

Reducing the number of vulnerable systems reduces potential exposure to exploits, and may also help streamline risk mitigation controls, such as enhanced monitoring of suspicious traffic. E-commerce merchants are also encouraged to advise their customers to upgrade web browsers to support secure protocols.

This change is not just affecting one company or type of system. This is an industry-wide requirement and presents a considerable change in this industry for many merchant services companies and also for those they service. While some companies are working to upgrade existing merchants, others will capitalize on the cost to you and the investment it will require from your company.
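One way to find web servers that still offer SSL or early TLS is to audit their protocol directives. The script below is an added example, not part of the original article: it reads nginx `ssl_protocols` and Apache `SSLProtocol` lines and reports those that leave a legacy protocol enabled. The sample configuration is constructed, and treating SSLv2, SSLv3 and TLS 1.0 as the legacy set is an assumption.

```python
import re

# Assumption: "SSL and early TLS" is taken to mean SSLv2, SSLv3 and TLS 1.0.
# Add "TLSv1.1" if your policy requires TLS 1.2 or later.
LEGACY = {"SSLv2", "SSLv3", "TLSv1"}
# What Apache's "all" keyword may expand to (depends on the OpenSSL build).
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Apache protocol names are case-insensitive; map them to one spelling.
CANON = {p.lower(): p for p in APACHE_ALL | LEGACY}

DIRECTIVE = re.compile(r"^\s*(ssl_protocols|SSLProtocol)\s+([^;#]+)", re.I)

def enabled_protocols(directive, args):
    """Return the set of protocol names a directive leaves enabled."""
    tokens = args.split()
    if directive.lower() == "ssl_protocols":   # nginx: plain allow-list
        return set(tokens)
    enabled = set()                            # Apache: +/- modifiers
    for tok in tokens:
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok[1:] if sign else tok
        if name.lower() == "all":
            names = set(APACHE_ALL)
        else:
            names = {CANON.get(name.lower(), name)}
        if sign == "-":
            enabled -= names
        elif sign == "+":
            enabled |= names
        else:                                  # bare name replaces the set
            enabled = names
    return enabled

def audit(config_text):
    """Return [(line_number, [legacy protocols still enabled]), ...]."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)              # commented-out lines do not match
        if m:
            legacy = sorted(enabled_protocols(m.group(1), m.group(2)) & LEGACY)
            if legacy:
                findings.append((lineno, legacy))
    return findings

# Constructed sample: nginx and Apache fragments concatenated for the demo.
SAMPLE = """# constructed sample, not from a real system
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.2;
}
server {
    listen 8443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}
SSLProtocol all -SSLv3
SSLProtocol -all +TLSv1.2
"""

if __name__ == "__main__":
    for lineno, legacy in audit(SAMPLE):
        print(f"line {lineno}: legacy protocols enabled: {', '.join(legacy)}")
```

A clean configuration audit only shows intent; confirm the result by testing what the running server actually negotiates.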

Just about everyone’s POS systems are vulnerable to POODLE and will have to be upgraded prior to the deadline. If merchants do not upgrade, their systems will simply stop accepting credit cards.

Many companies like Micros, Aloha, Radiant, NCR, etc. will be charging significant fees for merchant upgrades. NOW is a great time for merchants to consider other POS options. TDG Merchant Solutions, LLC is one source to which area merchants can turn for answers to complex questions and cost solutions. Call 479-471-5179 for more information.

Alan Foliart and his wife Debbie own TDG, a diversified company specializing in Point of Sale (POS) systems for small to medium-sized businesses. www.mydestinygroup.com